OFFICE OF INSPECTOR GENERAL

EVALUATION REPORT

FISCAL YEAR 2010 EVALUATION OF NEA'S COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002

REPORT NO. R-11-01

November 15, 2010

REPORT RELEASE RESTRICTION

In accordance with Public Law 110-409, The Inspector General Act of 2008, this report shall be posted on the National Endowment for the Arts (NEA) website not later than three (3) days after it is made publicly available with the approval of the NEA Office of Inspector General. Information contained in this report may be confidential. The restrictions of 18 USC 1905 should be considered before this information is released to the public. Furthermore, information contained in this report should not be used for purposes other than those intended without prior consultation with the NEA Office of Inspector General regarding its applicability.

INTRODUCTION

The Federal Information Security Management Act of 2002 requires an annual evaluation by the Inspector General of its agency's information security programs and practices. This report presents the results of our evaluation of NEA's information security program and practices for protecting its information technology (IT) infrastructure.

BACKGROUND

The Federal Information Security Management Act (FISMA) of 2002 was signed into law on December 17, 2002. It replaced the Government Information Security Reform Act (GISRA), which expired in November 2002. The Act requires each federal agency to develop, document, and implement an agency-wide information security program to provide information security over the operations and assets of the agency. This includes:

   • Periodic risk assessments;
   • Policies and procedures that are based on risk assessments;
   • Subordinate plans for providing adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate;
   • Security awareness training to inform employees (including contractors) of the security risks associated with their activities and their responsibilities to comply with those agency policies and procedures designed to reduce those risks;
   • Periodic testing and evaluation of the effectiveness of information security policies;
   • A process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency;
   • Procedures for detecting, reporting, and responding to security incidents; and
   • Plans and procedures to ensure continuity of operations of the agency's information systems.

Office of Management and Budget (OMB) Memorandum M-10-15, dated April 21, 2010, entitled FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, updates instructions to Senior Agency Officials for Privacy, Chief Information Officers and Inspectors General for reporting their 2010 information to OMB.

The National Institute of Standards and Technology (NIST), which has the responsibility for developing technical standards and related guidance, has issued numerous publications including NIST Publication 800-12, An Introduction to Computer Security: The NIST Handbook. This publication explains important concepts, cost considerations, and interrelationships of security controls as well as the benefits of such controls. NIST also has published a Guide for Developing Security Plans for Information Technology Systems; Special Publication 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach; Special Publication 800-53, Recommended Security Controls for Federal Information Systems; and FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems. In addition, guidance is found in the Government Accountability Office publication, Federal Information System Controls Audit Manual (FISCAM).

NEA's Office of Information and Technology Management (ITM) maintains and operates two of the Agency's three core systems on a local area network (LAN). These are the Grants Management System (GMS), which contains information on grant applications, and the Automated Panel Bank System (APBS), which contains information on panelists who review grant applications. NEA has contracted with the Department of Transportation (DOT) Enterprise Service Center to host its Financial Management System (FMS) through DOT's Delphi Financial Management System, and with the U.S. Department of Agriculture (USDA) National Finance Center for payroll services. NEA has also contracted with other providers for email, the grant application process and its personal identity verification (PIV) program. ITM operates support systems for internet and intranet services.

The Chief Information Officer (CIO) is responsible for developing policies and procedures to ensure that security is provided over NEA's networks.

OBJECTIVE AND SCOPE

The objective of the evaluation was to determine the adequacy of NEA's information technology (IT) security program and practices. This included a review of NEA's IT security policies and procedures and privacy management program. It also included interviews with responsible agency officials managing the IT systems, and tests of the effectiveness of security controls.

PRIOR EVALUATION

The NEA Office of Inspector General (OIG) issued a report entitled Fiscal Year 2009 Evaluation of NEA's Compliance with the Federal Information Security Act of 2002 (Report No. R-10-02) dated January 22, 2010 (rev. 2/26/10). The report had seven (7) recommendations. Corrective actions have been implemented for six (6) of the recommendations. The remaining recommendation addresses unimplemented corrective actions in NEA's Change Management program.

EVALUATION RESULTS

The FY 2010 FISMA evaluation concluded that NEA's Office of Information and Technology Management (ITM) has established a security program for protecting its information technology (IT) infrastructure. However, we identified several issues that need to be addressed by ITM to strengthen its security program and increase its compliance with FISMA and NIST requirements. The issues are related to contractor systems oversight, IT security and privacy awareness training, security incident reporting, plans of action and milestones (POA&Ms) and the change management program. Details of our evaluation are presented in the following narrative.

Privacy Reporting and Privacy Impact Assessment

The FY 2010 FISMA guidance included additional questions on security and privacy policies, which require agencies to submit information on privacy issue allegations, policies and the types of privacy reviews ITM conducted. OMB directed agencies to submit their most current documentation related to OMB Memorandum M-07-16, of May 22, 2007, "Safeguarding Against and Responding to the Breach of Personally Identifiable Information" (PII). OMB Memorandum M-07-16 requires agencies to review their use of Social Security Numbers (SSN) in agency systems and programs in order to identify instances in which collection or use is superfluous.

To comply with the requirements above, NEA's ITM has:

   • Implemented PII policies regarding breach notification and rules of behavior;
   • Completed technical security assessments to evaluate the level of security protecting NEA IT assets;
   • Reviewed PII holdings and updated the system of records notice to include OMB recommended "routine uses" of PII language; and
   • Modified security orientation and privacy training for all NEA staff to include responsibility to protect Agency information and technology assets.

ITM's review of PII holdings determined that (1) NEA collects only PII that is relevant and necessary for administrative purposes and (2) there are adequate administrative, technical and physical safeguards in place for the PII collected. NEA does not use SSNs, truncated SSNs, or any part of SSNs as tracking numbers for its applications, grants, cooperative agreements or contracts. NEA does not share PII with outside agencies other than for processing payments. ITM indicated there have been no reported breaches or security incidents involving PII collected or maintained by the Agency. ITM also indicated that there were no changes to the policy since the 2008 FISMA status report on PII and SSNs, which was issued September 18, 2008.

Financial Management System

NEA has an agreement with the U.S. Department of Transportation (DOT) to utilize the Enterprise Service Center's (ESC) Oracle Federal Financial System, Delphi, as its financial management system.

OMB requires that such service organizations provide client agencies with an independent report describing system controls. To comply with this requirement, DOT OIG hired an independent contractor, Clifton Gunderson, LLP, to conduct a review of the computer controls over the information technology and data processing environment, as well as the input, processing, and output controls built into the Delphi system, which is used by multiple Federal agencies, and the Consolidated Automation System for Time and Labor Entry (CASTLE), which is used to support DOT operations only.

The audit concluded that management's description of controls presents fairly, in all material respects, the controls that have been placed in operation as of June 30, 2010. In addition, controls were suitably designed and were operating effectively except in the areas of configuration management and access controls. Specifically, the Delphi system operated on a database for which the vendor stopped providing security updates in February 2009. Furthermore, ESC did not apply in a timely manner critical security updates that the vendor had provided, and did not assess the system for vulnerabilities and the risks associated with those vulnerabilities. The DOT Deputy Chief Financial Officer has committed to implementing corrective actions.

Payroll System

NEA uses the U.S. Department of Agriculture (USDA) National Finance Center (NFC) as its payroll provider. In September 2010, the USDA OIG issued its Statement on Auditing Standards Number 70 Report, Review of the Department of Agriculture Office of the Chief Financial Officer/National Finance Center (OCFO/NFC). The review concluded that the OCFO/NFC's "description of controls presented fairly, in all material respects, the relevant aspects of OCFO/NFC." Also, in their opinion, "the controls included in the description were suitably designed and operating with sufficient effectiveness to provide reasonable assurance that associated control objectives would be achieved if customer agencies and subservice organizations applied the controls contemplated in the design of NFC's controls." There were no recommendations in the report.

Contractor Systems Oversight Program

OMB's FY 2010 FISMA instructions state that "each agency must ensure their contractors are abiding by FISMA requirements." Section 3544(a)(1)(A)(ii) describes Federal agency security responsibilities as including "information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. Therefore, Federal security requirements continue to apply and the agency is responsible for ensuring appropriate security controls (see OMB Circular A-130, Appendix III). Agencies must develop policies for information security oversight of contractors and other users with privileged access to Federal data. Agencies must also review the security of other users with privileged access to Federal data and systems."

We obtained and reviewed agreements, including Interconnection Security Agreements and Memorandums of Understanding (MOU), with service providers. We found that ITM does not properly document, authorize or maintain interface agreements as required by FISMA and OMB. Details of our review are below.

   1. GSA – HSPD-12 Shared Services Solution to provide Federal employees and contractors with HSPD-12 compliant Personal Identity Verification credentials. The Interconnection Security Agreement was executed in July 2008 for one year. The agreement provided by ITM had only one signature, that of the NEA CIO.

   2. Grants.gov – provides federal grant applicants with a system through which they can search for federal funding opportunities, download grant packages and submit completed applications. The agreement was executed April 20, 2010 and is valid for three years.

   3. DOT – Memorandum of Understanding to provide financial management services. The agreement was dated November 3, 2005 and was valid for three years; it expired in 2008. The MOU provided by ITM was not signed by either organization.

   4. USDA – NFC MOU to provide payroll services. The agreement was dated July 9, 2007 and was valid for three years from the date of the last signature. The MOU was not signed by either organization.

   5. New World Apps – email services provider. There is no agreement in place with this contract provider.

We recommend that ITM immediately execute memorandums of understanding or interagency agreements with all contracted service providers utilizing interconnections with NEA IT systems that require assessments under FISMA. ITM should also develop and implement procedures to adequately monitor contractors and ensure that contractor systems are compliant with FISMA and OMB requirements.

Subsequent to our review, ITM provided a copy of an executed agreement with DOT dated November 3, 2010, which is valid for three years. The ISSO also informed us that they are in the process of executing agreements with GSA, USDA-NFC and New World Apps. The expected date of completion for agreements with GSA and USDA-NFC is November 19, 2010. The expected date of completion with New World Apps is January 15, 2011.

IT Security and Privacy Awareness Training

NIST Special Publications 800-50, Building an Information Technology Security Awareness and Training Program, and 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model, provide the standards for security awareness and training. ITM combined IT Security and Privacy Awareness Training in the FY 2008 Annual Refresher Training and included computer incident reporting in FY 2009.

We obtained and reviewed the FY 2010 IT Security and Privacy Awareness Refresher training materials and the notification sent to employees by email. We found that although the email included instructions and information on the requirement for refresher training, it did not include a required date of completion. A required due date provides a standard to evaluate timely completion. We also found that the FY 2010 security awareness training did not include information on computer incidents and reporting.

We obtained and reviewed the list of employees who had completed the FY 2010 security awareness training and determined that 97% of the staff completed the required Annual IT Security and Privacy Awareness Refresher training on security awareness and privacy (179 completed, 7 did not complete).

Subsequent to our review, 100% of the NEA staff had completed the training.

We recommend that ITM include a required date of completion when administering its security awareness refresher training. We also recommend that ITM include computer incidents and reporting in its annual security awareness training.

Computer Security Incidents Reporting Program

NEA has formalized a "Computer Security Incident Policy" (revised January 2010), which (1) identifies the type of activity characterized as a computer security incident, and (2) defines the steps to be taken to report a computer security incident. The policy applies to all permanent and temporary employees, including contractors who utilize NEA's computer equipment and systems. Appendix III to OMB Circular A-130 states:

       When faced with a security incident, an agency should be able to respond in a manner that both protects its own information and helps to protect the information of others who might be affected by the incident. To address this concern, agencies should establish formal incident response mechanisms. Awareness and training for individuals with access to the system should include how to use the system's incident response capability.

During our review of the Computer Security Incident Policy and ITM's security webpage, we noted that although the policy directs staff to report incidents to the ITM Help Desk, the security webpage directs staff to report incidents to the ISSO. For timely and effective response, incidents should be reported to the helpdesk as directed by ITM security policy.

We recommend that ITM ensure that the Computer Security Incident Policy and website instructions for reporting computer incidents are consistent. We suggest that ITM consider adding a link for reporting computer incidents to the front webpage for easier access by users.

Subsequent to our review, ITM revised the intranet website instructions to report computer incidents to the helpdesk in accordance with the Computer Security Incident Policy.

We obtained and reviewed incident reports submitted during FY 2010. There were three computer security incidents reported. Two have been resolved and closed. The remaining incident involves computer-related theft, a potential breach of personally identifiable information. NEA Administrative Services Division was notified of the incident; however, according to the ITM Computer Incident Policy, both "NEA's Administrative Services Division and the Federal Protective Service will be notified of all computer-related thefts." There is no indication on the report that the Federal Protective Service was notified. In addition, the ITM policy states that computer incident reports should be submitted to the Inspector General quarterly. Quarterly reports have not been submitted to the OIG.

Subsequent to our review, the OIG was notified by the ITM ISSO that the incident regarding the computer theft was reported to the Federal Protective Service by the NEA Administrative Services Division.

OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, states, in part, that agencies should notify law enforcement agencies and Inspectors General of actual or suspected breaches involving personally identifiable information. The OIG did not receive notification of this incident. We recommend that ITM comply with its policy on reporting computer security incidents involving a potential breach of PII and with FISMA requirements. We also recommend that ITM revise its computer incident policy to include notification to the OIG of actual or suspected breaches involving personally identifiable information.

Subsequent to our review, ITM revised its policy to include the notification of the OIG of all computer theft related incidents.

Inventory Controls

NEA has an inventory of its hardware that was updated as of October 14, 2010. The perpetual inventory listing is maintained and updated as equipment is added or deleted. The inventory lists each item by office, barcode number, serial number, manufacturer, model number and description, as well as the user. It also indicates the date the inventory was taken and the initials of the person who took the inventory.

Change Management Program

ITM issued its revised Change Management Policy/Procedure in February 2010. This policy "describes the responsibilities, policies, and procedures to be followed by ITM when making changes or recording events to the National Endowment for the Arts IT infrastructure." It also states that the "Change Management Process is designed to also provide an orderly method in which changes to the IT environment are requested and approved prior to the installation or implementation." It defines "change" and "event" as follows:

   Change: to transform, alter, or modify the operating environment or standard operating procedures; any modification that could have a potential and/or significant impact on the stability and reliability of the infrastructure and impacts conducting normal business operation by our users and ITM; any interruption in building environments (i.e., electrical outages) that may cause disruption to the IT infrastructure.

   Event: any activity outside of the normal operating procedures that could have a potential and/or significant impact on the stability and reliability of the infrastructure, i.e. a request to keep a system up during a normal shutdown period.

The change management process requires that an approved change request form be submitted to the Information System Security Officer (ISSO). In our FY 2006 through 2009 evaluations, we noted that changes were made to the system without approved change requests. In FY 2008 and 2009, we found that no change requests had been submitted to the ISSO.

In our FY 2009 evaluation, we recommended that ITM revise, approve and implement the NEA Change Management Policy/Procedure as required by its Standard Procedures for Developing Information Technology Policies. We also recommended that the CIO direct staff to adhere to those procedures.

ITM submitted a revised, approved change management policy and in February 2010, the CIO directed the staff to adhere to the change management policy. However, this year, we again requested copies of approved change management request forms and found that no submissions had been made.

As part of the FY 2010 Annual FISMA reporting instructions, the IG is required to report on the status of the agency's Certification and Accreditation program. Included in the assessment is the agency's process for tracking changes to information systems as directed by NIST SP 800-37, Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, which states in part:

       A disciplined and structured approach to managing, controlling, and documenting changes to an information system or its environment of operation is an essential element of an effective security control monitoring program.

We again recommend that the CIO direct the ITM staff to adhere to its change management policy and monitor the change management process to ensure compliance.

NIST Self-Assessment and Plans of Action and Milestones (POA&Ms)

OMB FY 2010 FISMA instructions direct Inspectors General to determine whether the Agency has established and is maintaining a certification and accreditation program that is generally consistent with NIST and OMB's FISMA requirements. An external risk assessment was performed in FY 2008 and is valid for three years, or until 2011. ITM also performed a certification and accreditation site assessment in July 2010. Our review found that NEA has an established certification and accreditation program in accordance with both NIST and OMB's FISMA requirements.

OMB's instructions also direct Inspectors General to review the status of the agency's POA&Ms program. The program should be consistent with NIST and OMB's FISMA requirements and include written policies for managing security weaknesses. The program should also include reports to the CIO, on a regular basis, at least quarterly, on the progress of remediation. During our review, we found that ITM had not developed written policies for its POA&Ms program.

We also reviewed the quarterly FISMA submissions for the past year to determine whether ITM was reporting all of its POA&Ms which were unresolved more than 90 to 120 days beyond the planned remediation date.

Our review of the quarterly FISMA reports submitted to OMB noted the following POA&Ms:

   • March 2010 (2)
   • June 2010 (0)

Therefore, as of the June 2010 FISMA quarterly report, there were no outstanding security issues which had not been resolved 90 to 120 days beyond the planned remediation date.

We recommend that ITM develop and implement written policies and procedures for its POA&Ms program consistent with NIST and OMB's FISMA requirements. The policy should include procedures for regular reporting on the progress of remediation to the CIO, at least quarterly.

Continuous Monitoring Program

OMB's FY 2010 FISMA instructions describe continuous monitoring of security controls as a cost-effective and important part of managing enterprise risk and maintaining an accurate understanding of the security risks confronting the agency's information systems. Continuous monitoring of security controls is required as part of the security authorization process to ensure controls remain effective over time in the face of changing threats, missions, environments of operation, and technologies. A robust and effective continuous monitoring program will ensure important procedures included in an agency's security authorization package (e.g., as described in system security plans, security assessment reports, and POA&Ms) are updated as appropriate and contain the necessary information for authorizing officials to make credible risk-based decisions regarding the security state of the information system on an ongoing basis.

During our review, we found that ITM has established a continuous monitoring program. However, we found that ITM has not developed written policies and procedures for its program. In addition, implementing the above recommendations in its Change Management, POA&Ms and Contract Oversight Programs will further strengthen the continuous monitoring program.

We recommend that ITM develop and implement written policies and procedures for its continuous monitoring program consistent with NIST and OMB's FISMA requirements. The policy should include ITM's strategy and plans for continuous monitoring, such as vulnerability scanning, log monitoring and notification of unauthorized devices. OMB directs agencies to review NIST Special Publications 800-37 Rev. 1, 800-53, and 800-53A for guidance on continuous monitoring programs.

EXIT CONFERENCE

An exit conference was held with ITM officials on November 15, 2010. The officials generally concurred with our findings and recommendations and agreed to initiate corrective actions.

RECOMMENDATIONS

We recommend that the NEA Office of Information and Technology Management:

1. Execute memorandums of understanding or interagency agreements with all contracted service providers utilizing interconnections with NEA IT systems that require assessments under FISMA.

2. Develop and implement procedures to adequately monitor contractors and ensure that contractor systems are compliant with FISMA and OMB requirements.

3. Include a required date of completion and information on computer security incidents and reports in its security awareness refresher training.

4. Comply with its policy on reporting computer security incidents involving a potential breach of PII and with FISMA requirements.

5. The CIO should direct the ITM staff to adhere to its change management policy and monitor the change management process to ensure compliance.

6. Develop and implement written policies and procedures for its POA&Ms program consistent with NIST and OMB's FISMA requirements. The policy should include procedures for regular reporting on the progress of remediation to the CIO, at least quarterly.

7. Develop and implement written policies and procedures for its continuous monitoring program consistent with NIST and OMB's FISMA requirements. The policy should include ITM's strategy and plans for continuous monitoring, such as vulnerability scanning, log monitoring and notification of unauthorized devices.